From owner-freebsd-hackers Tue Feb 10 19:13:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA16224 for hackers-outgoing; Tue, 10 Feb 1998 19:13:34 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG) Received: from nash.pr.mcs.net (nash.pr.mcs.net [204.95.47.72]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA16213 for ; Tue, 10 Feb 1998 19:13:28 -0800 (PST) (envelope-from alex@nash.pr.mcs.net) Received: (from alex@localhost) by nash.pr.mcs.net (8.8.8/8.8.7) id VAA08417; Tue, 10 Feb 1998 21:12:22 -0600 (CST) (envelope-from alex) Message-Id: <199802110312.VAA08417@nash.pr.mcs.net> Date: Tue, 10 Feb 1998 21:12:21 -0600 (CST) From: Alex Nash Subject: Re: ipfw logs ports for fragments To: avalon@coombs.anu.edu.au cc: archie@whistle.com, freebsd-hackers@FreeBSD.ORG In-Reply-To: <199802102235.QAA26217@Mailbox.mcs.net> MIME-Version: 1.0 Content-Type: TEXT/plain; CHARSET=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On 11 Feb, Darren Reed wrote: >> Now the question is.. which exception to make? >> >> #1 Don't even TRY to match rules containing port ranges and/or flags >> to non-zero offset fragments. > > Correct. > >> #2 Match port range/flag rules to non-zero offset fragments by testing >> the rule AS IF it did not contain the port range and/or flag >> restrictions. > > Wrong. I think Darren and I are in agreement on this. The patches below modify ipfw to: - Not match fragmented packets (where offset != 0) if the rule specifies a port and/or TCP flags - Match fragmented packets (where offset != 0) if the rule does not specify a port and/or TCP flags Naturally, the standard source, dest, protocol, interface, etc. fields must also match in the above cases. Alex Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.77 diff -c -r1.77 ip_fw.c *** ip_fw.c 1998/02/09 06:10:10 1.77 --- ip_fw.c 1998/02/11 02:58:35 *************** *** 459,466 **** if (offset == 1) /* cf. RFC 1858 */ goto bogusfrag; ! if (offset != 0) /* Flags, ports aren't valid */ break; PULLUP_TO(hlen + 14); tcp = (struct tcphdr *) ((u_long *)ip + ip->ip_hl); if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f)) --- 459,476 ---- if (offset == 1) /* cf. RFC 1858 */ goto bogusfrag; ! if (offset != 0) { ! /* ! * TCP flags and ports aren't available in this ! * packet -- if this rule specified either one, ! * we consider the rule a non-match. ! */ ! if (f->fw_nports != 0 || ! f->fw_tcpf != f->fw_tcpnf) ! continue; ! break; + } PULLUP_TO(hlen + 14); tcp = (struct tcphdr *) ((u_long *)ip + ip->ip_hl); if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f)) *************** *** 474,481 **** { struct udphdr *udp; ! if (offset != 0) /* Ports aren't valid */ break; PULLUP_TO(hlen + 4); udp = (struct udphdr *) ((u_long *)ip + ip->ip_hl); src_port = ntohs(udp->uh_sport); --- 484,500 ---- { struct udphdr *udp; ! if (offset != 0) { ! /* ! * Port specification is unavailable -- if this ! * rule specifies a port, we consider the rule ! * a non-match. ! */ ! if (f->fw_nports != 0) ! continue; ! break; + } PULLUP_TO(hlen + 4); udp = (struct udphdr *) ((u_long *)ip + ip->ip_hl); src_port = ntohs(udp->uh_sport); *************** *** 866,871 **** --- 885,903 ---- (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) { dprintf(("%s rule never matches\n", err_prefix)); return(NULL); + } + + if ((frwl->fw_flg & IP_FW_F_FRAG) && + (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) { + if (frwl->fw_nports) { + dprintf(("%s cannot mix 'frag' and ports\n", err_prefix)); + return(NULL); + } + if (frwl->fw_prot == IPPROTO_TCP && + frwl->fw_tcpf != frwl->fw_tcpnf) { + dprintf(("%s cannot mix 'frag' with TCP flags\n", err_prefix)); + return(NULL); + } } /* Check command specific stuff */ Index: ipfw.8 =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.37 diff -c -r1.37 ipfw.8 *** ipfw.8 1998/01/07 02:23:03 1.37 --- ipfw.8 1998/02/11 02:57:41 *************** *** 289,294 **** --- 289,300 ---- .Pa /usr/src/sys/netinet/ip_fw.h ) ports. .Pp + Fragmented packets which have a non-zero offset (i.e. not the first + fragment) will never match a rule which has one or more port + specifications. See the + .Ar frag + option for details on matching fragmented packets. + .Pp Rules can apply to packets when they are incoming, or outgoing, or both. The .Ar in *************** *** 360,365 **** --- 366,375 ---- .It frag Matches if the packet is a fragment and this is not the first fragment of the datagram. + .Ar frag + may not be used in conjunction with either + .Ar tcpflags + or TCP/UDP port specifications. .It in Matches if this packet was on the way in. .It out *************** *** 399,404 **** --- 409,420 ---- .Ar urg . The absence of a particular flag may be denoted with a ``!''. + A rule which contains a + .Ar tcpflags + specification can never match a fragmented packet which has + a non-zero offset. See the + .Ar frag + option for details on matching fragmented packets. .It icmptypes Ar types Matches if the ICMP type is in the list .Ar types . Index: ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.53 diff -c -r1.53 ipfw.c *** ipfw.c 1998/01/08 03:03:50 1.53 --- ipfw.c 1998/02/11 02:57:54 *************** *** 1108,1113 **** --- 1108,1122 ---- } else if ((rule.fw_flg & IP_FW_F_OIFACE) && (rule.fw_flg & IP_FW_F_IN)) show_usage("can't check xmit interface of incoming packets"); + /* frag may not be used in conjunction with ports or TCP flags */ + if (rule.fw_flg & IP_FW_F_FRAG) { + if (rule.fw_tcpf || rule.fw_tcpnf) + errx(EX_USAGE, "can't mix 'frag' and tcpflags"); + + if (rule.fw_nports) + errx(EX_USAGE, "can't mix 'frag' and port specifications"); + } + if (!do_quiet) show_ipfw(&rule, 10, 10); i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe hackers" in the body of the message